[oe] [meta-networking][PATCH] tcpdump: fix CVE-2017-11541, 11542, 11543

Wed Sep 13 03:21:47 UTC 2017

Please ignore this patch, the fixes has been included by:

   [oe] [meta-networking][PATCH] tcpdump: update to 4.9.2 to fix CVEs

Thanks
Wenzong

On 09/07/2017 05:49 PM, wenzong.fan at windriver.com wrote:
> From: Wenzong Fan <wenzong.fan at windriver.com>
> 
> Backport patches for fixing:
> - CVE-2017-11541:
>    https://nvd.nist.gov/vuln/detail/CVE-2017-11541
>    https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
> 
> - CVE-2017-11542:
>    https://nvd.nist.gov/vuln/detail/CVE-2017-11542
>    https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
> 
> - CVE-2017-11543:
>    https://nvd.nist.gov/vuln/detail/CVE-2017-11543
>    https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
> 
> The tests/* changes dropped to workaround patch error:
>    File tests/*.pcap: git binary diffs are not supported.
> 
> Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
> ---
>   ...541-In-safeputs-check-the-length-before-c.patch | 49 +++++++++++++
>   ...1-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch | 43 +++++++++++
>   ...543-Make-sure-the-SLIP-direction-octet-is.patch | 85 ++++++++++++++++++++++
>   .../recipes-support/tcpdump/tcpdump_4.9.1.bb       |  3 +
>   4 files changed, 180 insertions(+)
>   create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
>   create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
>   create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> 
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
> new file mode 100644
> index 000000000..a83214b02
> --- /dev/null
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch
> @@ -0,0 +1,49 @@
> +From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
> +From: Guy Harris <guy at alum.mit.edu>
> +Date: Tue, 7 Feb 2017 11:40:36 -0800
> +Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
> + checking for a NUL terminator.
> +
> +safeputs() doesn't do packet bounds checking of its own; it assumes that
> +the caller has checked the availability in the packet data of all maxlen
> +bytes of data.  This means we should check that we're within the
> +specified limit before looking at the byte.
> +
> +This fixes a buffer over-read discovered by Kamil Frankowicz.
> +
> +Add a test using the capture file supplied by the reporter(s).
> +
> +CVE: CVE-2017-11541
> +
> +Upstream-Status: Backport
> +https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280
> +
> +Drop the tests/* changes to workaroud patch error:
> +File tests/hoobr_safeputs.pcap: git binary diffs are not supported.
> +
> +Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
> +---
> + tests/TESTLIST            |   1 +
> + tests/hoobr_safeputs.out  |   2 ++
> + tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
> + util-print.c              |   2 +-
> + 4 files changed, 4 insertions(+), 1 deletion(-)
> + create mode 100644 tests/hoobr_safeputs.out
> + create mode 100644 tests/hoobr_safeputs.pcap
> +
> +diff --git a/util-print.c b/util-print.c
> +index 394e7d59..ec3e8de8 100644
> +--- a/util-print.c
> ++++ b/util-print.c
> +@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
> + {
> + 	u_int idx = 0;
> +
> +-	while (*s && idx < maxlen) {
> ++	while (idx < maxlen && *s) {
> + 		safeputchar(ndo, *s);
> + 		idx++;
> + 		s++;
> +--
> +2.13.0
> +
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
> new file mode 100644
> index 000000000..a177e7c0b
> --- /dev/null
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch
> @@ -0,0 +1,43 @@
> +From bed48062a64fca524156d7684af19f5b4a116fae Mon Sep 17 00:00:00 2001
> +From: Guy Harris <guy at alum.mit.edu>
> +Date: Tue, 7 Feb 2017 11:10:04 -0800
> +Subject: [PATCH] CVE-2017-11542/PIMv1: Add a bounds check.
> +
> +This fixes a buffer over-read discovered by Kamil Frankowicz.
> +
> +Add a test using the capture file supplied by the reporter(s).
> +
> +CVE: CVE-2017-11542
> +
> +Upstream-Status: Backport
> +https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae
> +
> +Drop the tests/* changes to workaroud patch error:
> +File tests/hoobr_pimv1.pcap: git binary diffs are not supported.
> +
> +Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
> +---
> + print-pim.c            |   1 +
> + tests/TESTLIST         |   1 +
> + tests/hoobr_pimv1.out  |  25 +++++++++++++++++++++++++
> + tests/hoobr_pimv1.pcap | Bin 0 -> 3321 bytes
> + 4 files changed, 27 insertions(+)
> + create mode 100644 tests/hoobr_pimv1.out
> + create mode 100644 tests/hoobr_pimv1.pcap
> +
> +diff --git a/print-pim.c b/print-pim.c
> +index 25525953..ed880ae7 100644
> +--- a/print-pim.c
> ++++ b/print-pim.c
> +@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
> + 			pimv1_join_prune_print(ndo, &bp[8], len - 8);
> + 		break;
> + 	}
> ++	ND_TCHECK(bp[4]);
> + 	if ((bp[4] >> 4) != 1)
> + 		ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
> + 	return;
> +
> +--
> +2.13.0
> +
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> new file mode 100644
> index 000000000..36e3f6b0d
> --- /dev/null
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch
> @@ -0,0 +1,85 @@
> +From 7039327875525278d17edee59720e29a3e76b7b3 Mon Sep 17 00:00:00 2001
> +From: Guy Harris <guy at alum.mit.edu>
> +Date: Fri, 17 Mar 2017 12:49:04 -0700
> +Subject: [PATCH] CVE-2017-11543/Make sure the SLIP direction octet is valid.
> +
> +Report if it's not, and don't use it as an out-of-bounds index into an
> +array.
> +
> +This fixes a buffer overflow discovered by Wilfried Kirsch.
> +
> +Add a test using the capture file supplied by the reporter(s), modified
> +so the capture file won't be rejected as an invalid capture.
> +
> +CVE: CVE-2017-11543
> +
> +Upstream-Status: Backport
> +https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3
> +
> +Drop the tests/* changes to workaroud patch error:
> +File tests/slip-bad-direction.pcap: git binary diffs are not supported.
> +
> +Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
> +---
> + print-sl.c                    |  25 +++++++++++++++++++++++--
> + tests/TESTLIST                |   3 +++
> + tests/slip-bad-direction.out  |   1 +
> + tests/slip-bad-direction.pcap | Bin 0 -> 79 bytes
> + 4 files changed, 27 insertions(+), 2 deletions(-)
> + create mode 100644 tests/slip-bad-direction.out
> + create mode 100644 tests/slip-bad-direction.pcap
> +
> +diff --git a/print-sl.c b/print-sl.c
> +index 3fd7e898..a02077b3 100644
> +--- a/print-sl.c
> ++++ b/print-sl.c
> +@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
> + 	u_int hlen;
> +
> + 	dir = p[SLX_DIR];
> +-	ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
> ++	switch (dir) {
> +
> ++	case SLIPDIR_IN:
> ++		ND_PRINT((ndo, "I "));
> ++		break;
> ++
> ++	case SLIPDIR_OUT:
> ++		ND_PRINT((ndo, "O "));
> ++		break;
> ++
> ++	default:
> ++		ND_PRINT((ndo, "Invalid direction %d ", dir));
> ++		dir = -1;
> ++		break;
> ++	}
> + 	if (ndo->ndo_nflag) {
> + 		/* XXX just dump the header */
> + 		register int i;
> +@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
> + 		 * has restored the IP header copy to IPPROTO_TCP.
> + 		 */
> + 		lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
> ++		ND_PRINT((ndo, "utcp %d: ", lastconn));
> ++		if (dir == -1) {
> ++			/* Direction is bogus, don't use it */
> ++			return;
> ++		}
> + 		hlen = IP_HL(ip);
> + 		hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
> + 		lastlen[dir][lastconn] = length - (hlen << 2);
> +-		ND_PRINT((ndo, "utcp %d: ", lastconn));
> + 		break;
> +
> + 	default:
> ++		if (dir == -1) {
> ++			/* Direction is bogus, don't use it */
> ++			return;
> ++		}
> + 		if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
> + 			compressed_sl_print(ndo, &p[SLX_CHDR], ip,
> + 			    length, dir);
> +
> +--
> +2.13.0
> +
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> index 261c78427..668d6f5e1 100644
> --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.1.bb
> @@ -11,6 +11,9 @@ SRC_URI = " \
>       file://tcpdump-configure-dlpi.patch \
>       file://add-ptest.patch \
>       file://run-ptest \
> +    file://0001-CVE-2017-11542-PIMv1-Add-a-bounds-check.patch \
> +    file://0001-CVE-2017-11541-In-safeputs-check-the-length-before-c.patch \
> +    file://0001-CVE-2017-11543-Make-sure-the-SLIP-direction-octet-is.patch \
>   "
>   
>   SRC_URI[md5sum] = "1e0293210b0dea5ef18e88e4150394b7"
> 